Ethical Hacking and Countermeasures
Version 6
Module X: Sniffers
Scenario
Jamal is an electrician who fixes electrical and network cables. He was called in for a regular inspection at the premises of XInsurance Inc.
Jamal was surprised at his findings during a routine check of the AC ducts in the enterprise: the LAN wires were laid through the ducts. He was tempted to find out what information was flowing through the LAN wires.
What can Jamal do to sabotage the network?
What information can he obtain, and how sensitive is the information that he would obtain?
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Module Objective
This module will familiarize you with:
Sniffing
Protocols vulnerable to sniffing
Types of sniffing
ARP and ARP spoofing attack
Tools for ARP spoofing
MAC flooding
Tools for MAC flooding
Sniffing tools
Types of DNS poisoning
Raw sniffing tools
Detecting sniffing
Countermeasures
Module Flow
Sniffing Definition
Protocols Vulnerable to Sniffing
Types of Sniffing
ARP and ARP Spoofing Attack
Detecting Sniffing
MAC Flooding
Countermeasures
Definition: Sniffing
Sniffing is a data interception technique.
A sniffer is a program or device that captures the vital information from the network traffic of a particular network segment.
The objective of sniffing is to steal:
Passwords (from email, the web, SMB, FTP, SQL, or telnet)
Email text
Files in transfer (email attachments, FTP files, or SMB files)
Types of Sniffing
Passive sniffing: sniffing through a hub
Active sniffing: sniffing through a switch
Passive Sniffing
[Figure: attacker connected to a hub on the LAN]
Passive sniffing means sniffing through a hub. A hub repeats every frame to every port, so the attacker only has to listen and injects no traffic of his own; it is called passive because of this, and it is why passive sniffing is difficult to detect.
Active Sniffing
[Figure: attacker connected to a switch on the LAN]
A switch forwards a frame only to the port that owns the destination MAC address, so an attacker on another port sees nothing by default. In active sniffing the attacker therefore poisons the switch (or the hosts' ARP caches) by sending bogus MAC addresses, which redirects traffic to his port.
Look@LAN: Screenshots
Wireshark
Wireshark is a network protocol analyzer for UNIX and Windows.
Filtering by multiple IP addresses
ip.addr == 10.0.0.4 or ip.addr == 10.0.0.5
Other filters
ip.dst == 10.0.1.50 && frame.pkt_len > 400
ip.addr == 10.0.1.12 && icmp && frame.number > 15 && frame.number < 30
ip.src == 205.153.63.30 or ip.dst == 205.153.63.30
(ip.addr matches either the source or the destination address; ip.src and ip.dst are directional.)
Example: Follow the stream of an HTTP session and save the output to a file.
Command: Select a TCP packet in the Summary window and then choose Analyze -> Follow TCP Stream from the menu bar; this displays the Follow TCP Stream window with the reassembled conversation.
You can also right-click on a TCP packet in the Summary window and choose Follow TCP Stream to display the same window.
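What "Follow TCP Stream" does under the hood, as an added example (this is not code from the EC-Council module or from Wireshark): it reassembles one direction of a TCP conversation from captured segments by sequence number, coping with out-of-order delivery and a retransmission, and then pulls cleartext HTTP Basic credentials out of the reassembled bytes, which is the reason the module lists web passwords as a sniffing target. The capture, the addresses and the credentials are constructed for the example.

```python
"""Reassemble one direction of a TCP stream from captured segments.

Added example, not part of the EC-Council module: it mimics what
Wireshark's "Follow TCP Stream" does for a single direction and shows why
cleartext protocols leak credentials to a sniffer. Every segment below is
constructed for the example; the HTTP Basic credentials are fake.
"""
import base64
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """The fields of a captured TCP segment that reassembly needs."""
    src: str          # "ip:port"
    dst: str
    seq: int          # sequence number of the first payload byte
    payload: bytes


def follow_stream(segments, client, server):
    """Return (client->server byte stream, gaps) in sequence-number order.

    Segments may arrive out of order or be retransmitted; sequence numbers
    resolve both, which the packet summary window cannot show you. A gap
    (a segment the sniffer missed) is reported as (expected, got) so the
    caller knows the stream is incomplete.
    """
    direction = sorted((s for s in segments if s.src == client and s.dst == server),
                       key=lambda s: s.seq)
    stream, expected, gaps = bytearray(), None, []
    for seg in direction:
        if expected is None:
            expected = seg.seq
        if seg.seq < expected:                 # retransmission: keep only new bytes
            payload = seg.payload[expected - seg.seq:]
        else:
            if seg.seq > expected:
                gaps.append((expected, seg.seq))
            payload = seg.payload
        stream += payload
        expected = max(expected, seg.seq) + len(payload)
    return bytes(stream), gaps


def http_basic_credentials(stream):
    """Return every 'user:password' carried in an Authorization: Basic header."""
    found = []
    for line in stream.split(b"\r\n"):
        if line.lower().startswith(b"authorization: basic "):
            found.append(base64.b64decode(line.split(b" ", 2)[2]).decode())
    return found


# Constructed capture: Rebecca (10.0.0.3) logs in to www.xsecurity.com over HTTP.
CLIENT, SERVER = "10.0.0.3:51022", "200.0.0.45:80"
CREDS = base64.b64encode(b"rebecca:Summer2008!").decode()
REQUEST = ("GET /intranet/ HTTP/1.1\r\n"
           "Host: www.xsecurity.com\r\n"
           f"Authorization: Basic {CREDS}\r\n"
           "\r\n").encode()
ISN = 1000
# Three segments captured out of order, the first one also retransmitted.
CAPTURE = [
    Segment(CLIENT, SERVER, ISN + 40, REQUEST[40:]),
    Segment(SERVER, CLIENT, 5000, b"HTTP/1.1 200 OK\r\n\r\n"),
    Segment(CLIENT, SERVER, ISN, REQUEST[:20]),
    Segment(CLIENT, SERVER, ISN + 20, REQUEST[20:40]),
    Segment(CLIENT, SERVER, ISN, REQUEST[:20]),        # retransmission
]

if __name__ == "__main__":
    stream, gaps = follow_stream(CAPTURE, CLIENT, SERVER)
    print(stream.decode())
    print("credentials:", http_basic_credentials(stream), "gaps:", gaps)
```

The same reassembly applied to the server-to-client direction gives the response side of the conversation; Wireshark shows both interleaved. A missing segment shows up in `gaps`, which is the case to check before trusting a reconstructed file.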
Pilot
Pilot is a network analysis tool with an accessible and visually-oriented user interface designed to increase your troubleshooting effectiveness.
Benefits:
Integrated with Wireshark
Powerful network analysis engine
Pilot Views: flexible analysis and visualization paradigm
Pilot Charts: innovative visualization components
Drill-down: an innovative analysis paradigm
Wireless support with AirPcap
Reporting capabilities
Pilot: Screenshots 1 to 3
Tcpdump
Tcpdump is a common network debugging tool that runs from the command line.
Tcpdump Commands
Exporting tcpdump output to a file
# tcpdump -l port 80 > webdump.txt & tail -f webdump.txt
(-l line-buffers the output so the file can be followed while the capture runs)
# tcpdump -w rawdump
(write the raw packets, not decoded text, to the file rawdump)
# tcpdump -r rawdump > rawdump.txt
(read the raw capture back and decode it to text)
# tcpdump -c1000 -w rawdump
(stop after 1000 packets)
# tcpdump -i eth1 -c1000 -w rawdump
(capture on interface eth1)
Filter by protocol
# tcpdump udp
# tcpdump ip proto OSPFIGP
Wiretap
Wiretapping is the monitoring of telephone and Internet conversations by a third party.
Historically, the monitoring connection was applied to the wires of the telephone line being monitored, and a small amount of the electrical signal carrying the conversation got tapped.
RF Transmitter Wiretaps
In the radio frequency (RF) transmitter tap technique, a small RF transmitter is attached to the telephone line or placed within the telephone instrument.
In these wiretaps, the audio fluctuations of the telephone conversation modulate the transmitter carrier, which transmits the conversation into free air space.
Infinity Transmitter
An infinity transmitter is a device used as a wiretap to monitor communication.
It operates independently of the telephone instrument and requires its own telephone line.
It can be called from a remote telephone and activated with a tone signal.
SPAN Port
A SPAN port is the switch port to which the sniffer is attached; the switch is configured to send it a copy of every packet that passes between the source host and the destination host.
Source (SPAN) port: a port that is monitored with the use of the SPAN feature.
Destination (SPAN) port: a port that monitors the source ports, usually where a network analyzer is connected.
Lawful Intercept
Lawful intercept is a process that enables a Law Enforcement Agency (LEA) to perform electronic surveillance on an individual (a target) as authorized by a judicial or administrative order.
The surveillance is performed through the use of wiretaps on traditional telecommunications and Internet services in voice, data, and multiservice networks.
The LEA delivers a request for a wiretap to the target's service provider, who is responsible for intercepting data communication to and from the individual.
The service provider uses the target's IP address or session to determine which of its edge routers handles the target's traffic.
The service provider then intercepts the target's traffic as it passes through the router and sends a copy of the intercepted traffic to the LEA without the target's knowledge.
ARP Poisoning
[Figure: legitimate user broadcasts "Hey 10.1.1.1, are you there?" through the switch]
Step 3: The malicious user eavesdrops on the ARP request and answers it after the legitimate host has: he spoofs the response and sends his own MAC address to the originator of the request, whose ARP cache now maps 10.1.1.1 to the attacker's MAC.
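What the spoofed response in step 3 looks like on the wire, and what it does to the victim's ARP cache, as an added example written for this page (not EC-Council code and not any spoofing tool's source). It builds an unsolicited ARP reply frame in memory with the standard RFC 826 layout, parses it back as a sniffer would, and runs it through a minimal model of a host's ARP cache; nothing is sent. The IP addresses are the router (10.0.0.254) and Rebecca (10.0.0.3) from the module's DNS spoofing diagram; all MAC addresses are made up. The static-entry switch shows the countermeasure the module gives for small networks.

```python
"""Build the ARP reply an ARP spoofing tool sends and show what it does to a
victim's ARP cache.

Added example for the ARP poisoning slides; not EC-Council code and it does
not put anything on the wire. IPs are from the module's diagram, MACs are
made up.
"""
import struct
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"           # RFC 826 layout for Ethernet/IPv4 (28 bytes)

ROUTER_IP, REBECCA_IP = "10.0.0.254", "10.0.0.3"
ROUTER_MAC = "00:0c:29:aa:aa:aa"     # made up
REBECCA_MAC = "00:0c:29:bb:bb:bb"    # made up
ATTACKER_MAC = "00:0c:29:cc:cc:cc"   # made up


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP packet, as a sniffer would capture it."""
    eth = struct.pack("!6s6sH", mac_bytes(target_mac), mac_bytes(sender_mac), ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                      mac_bytes(sender_mac), IPv4Address(sender_ip).packed,
                      mac_bytes(target_mac), IPv4Address(target_ip).packed)
    return eth + arp


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip) of an ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, frame[14:42])
    return op, mac_str(smac), str(IPv4Address(sip)), mac_str(tmac), str(IPv4Address(tip))


class ArpCache:
    """The part of a host's ARP behaviour that poisoning relies on: an ARP
    packet whose sender IP is already cached overwrites the cached MAC, with
    no check that the host ever asked. Static entries are never updated."""

    def __init__(self, ip):
        self.ip = ip
        self.table = {}
        self.static = set()

    def receive(self, frame):
        op, smac, sip, _, tip = parse_arp(frame)
        if sip in self.static:
            return
        if sip in self.table or (op == ARP_REPLY and tip == self.ip):
            self.table[sip] = smac

    def next_hop_mac(self, ip):
        return self.table[ip]


# What the attacker sends Rebecca: "10.0.0.254 is at <attacker MAC>".
SPOOFED_REPLY = build_arp(ARP_REPLY, ATTACKER_MAC, ROUTER_IP, REBECCA_MAC, REBECCA_IP)


def poison_demo(static_entry=False):
    """Return the MAC Rebecca uses for the router before and after the spoofed reply."""
    rebecca = ArpCache(REBECCA_IP)
    # Legitimate resolution first: the real router answers Rebecca's own request.
    rebecca.receive(build_arp(ARP_REPLY, ROUTER_MAC, ROUTER_IP, REBECCA_MAC, REBECCA_IP))
    if static_entry:
        rebecca.static.add(ROUTER_IP)          # the effect of 'arp -s 10.0.0.254 <MAC>'
    before = rebecca.next_hop_mac(ROUTER_IP)
    rebecca.receive(SPOOFED_REPLY)
    return before, rebecca.next_hop_mac(ROUTER_IP)


if __name__ == "__main__":
    print(parse_arp(SPOOFED_REPLY))
    print("dynamic cache:", poison_demo())
    print("static entry: ", poison_demo(static_entry=True))
```

Real tools resend the spoofed reply every few seconds because the genuine router keeps answering requests and flips the entry back; that flip-flop is what ArpWatch reports later in this module.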
MAC Duplicating
A MAC duplicating attack is launched by sniffing the network for the MAC addresses of clients that are actively associated with a switch port and re-using one of those addresses.
By listening to the traffic on the network, a malicious user can intercept and use a legitimate user's MAC address.
The attacker will then receive the traffic destined for the legitimate user: the switch relearns the duplicated address on the attacker's port every time the attacker sends a frame, so traffic flips between the two ports.
[Figure: switch connecting the legitimate user, the attacker and the Internet]
Ettercap
ArpSpyX
ArpSpyX passively sniffs network ARP packets and displays the IP and MAC address of the machine that generates each packet.
ArpSpyX supports two methods of scanning:
The first method is a passive mode which only listens for traffic without sending any packets.
The second method is active and sends out ARP who-has requests for every IP address on your subnet.
ArpSpyX: Screenshot
MAC Flooding
MAC flooding involves flooding the switch with frames carrying a large number of bogus source MAC addresses. The switch's MAC address (CAM) table fills up, new addresses can no longer be learned, and the switch has to flood frames for unknown destinations out of every port like a hub, so the attacker's port receives traffic that would otherwise never reach it.
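A model of the switch behaviour that MAC flooding exploits, as an added example written for this page (not EC-Council code and not macof or EtherFlood, which send real frames; this one only simulates the switch's learning logic). It shows the CAM table filling up under a burst of random source addresses, the victim's entry failing to be relearned, and the resulting unknown-unicast flood reaching the attacker's port; the second function shows the port-security countermeasure from the end of the module, which shuts a port after a set number of addresses. Table size, port names and MAC addresses are made up; real switches hold thousands of entries, which is why flooding tools send tens of thousands of frames.

```python
"""Model of a switch's MAC address (CAM) table under a macof-style flood.

Added example for the MAC flooding slides; not EC-Council or macof code. It
simulates the switch's learning logic rather than sending frames. The table
size, port names and MAC addresses are made up.
"""
import os
from collections import OrderedDict

PORTS = ["Fa0/1", "Fa0/2", "Fa0/3"]          # victim, server, attacker
VICTIM_MAC = "00:0c:29:11:11:11"
SERVER_MAC = "00:0c:29:22:22:22"


def random_mac():
    """Locally administered unicast MAC, like the ones flooding tools generate."""
    return "02:" + ":".join(f"{b:02x}" for b in os.urandom(5))


class Switch:
    """Learning switch with a bounded CAM table and optional port security."""

    def __init__(self, ports, cam_size, max_macs_per_port=None):
        self.ports = ports
        self.cam_size = cam_size
        self.cam = OrderedDict()               # source MAC -> port
        self.max_macs = max_macs_per_port
        self.shutdown = set()                  # err-disabled ports
        self.flooded = 0                       # unknown-unicast frames flooded

    def learn(self, src_mac, port):
        if src_mac in self.cam:
            self.cam[src_mac] = port
            return True
        if self.max_macs is not None:
            on_port = sum(1 for p in self.cam.values() if p == port)
            if on_port >= self.max_macs:       # port-security violation
                self.shutdown.add(port)
                return False
        if len(self.cam) >= self.cam_size:     # table full: nothing new is learned
            return False
        self.cam[src_mac] = port
        return True

    def age_out(self, mac):
        """Aging-timer expiry for one entry (a few minutes on real switches)."""
        self.cam.pop(mac, None)

    def forward(self, src_mac, dst_mac, in_port):
        """Return the ports the frame is sent out of."""
        if in_port in self.shutdown:
            return []
        self.learn(src_mac, in_port)
        if dst_mac in self.cam:
            return [self.cam[dst_mac]]
        self.flooded += 1                      # unknown unicast: behave like a hub
        return [p for p in self.ports if p != in_port]


def flood_demo(cam_size=64, burst=200):
    """Return (ports a server->victim frame reaches before, after, final CAM size)."""
    sw = Switch(PORTS, cam_size)
    sw.forward(VICTIM_MAC, SERVER_MAC, "Fa0/1")
    sw.forward(SERVER_MAC, VICTIM_MAC, "Fa0/2")
    quiet = sw.forward(SERVER_MAC, VICTIM_MAC, "Fa0/2")   # only Fa0/1 sees it
    for _ in range(burst):                                # attacker fills the table
        sw.forward(random_mac(), random_mac(), "Fa0/3")
    sw.age_out(VICTIM_MAC)                                # the victim's entry expires...
    for _ in range(burst):                                # ...and the flood retakes the slot
        sw.forward(random_mac(), random_mac(), "Fa0/3")
    sw.forward(VICTIM_MAC, SERVER_MAC, "Fa0/1")           # cannot be relearned now
    loud = sw.forward(SERVER_MAC, VICTIM_MAC, "Fa0/2")    # flooded, Fa0/3 included
    return quiet, loud, len(sw.cam)


def port_security_demo(cam_size=64, burst=200):
    """Same flood against a switch allowing one MAC per port."""
    sw = Switch(PORTS, cam_size, max_macs_per_port=1)
    sw.forward(VICTIM_MAC, SERVER_MAC, "Fa0/1")
    sw.forward(SERVER_MAC, VICTIM_MAC, "Fa0/2")
    for _ in range(burst):
        sw.forward(random_mac(), random_mac(), "Fa0/3")
    return sorted(sw.shutdown), len(sw.cam)


if __name__ == "__main__":
    print("flood:", flood_demo())
    print("port security:", port_security_demo())
```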
Macof: Screenshot
Source: http://ntsecurity.nu/toolbox/etherflood/
Intercept data
Collect passwords
Manipulate data
Tap VoIP phone calls
ARPWorks Tool
ArpWorks is a utility for sending customized ARP announce packets over the network.
Tool: Nemesis
Nemesis provides an interface to craft and inject a variety of arbitrary packet types.
It is also used for ARP spoofing.
Nemesis supports the following protocols:
arp, dns, ethernet, icmp, igmp, ip, ospf, rip, tcp, udp
IP-based Sniffing
IP-based sniffing is the original way of packet sniffing.
It works by putting the network card into promiscuous mode and sniffing all packets matching the IP address filter.
If no IP address filter is set, all packets are captured.
This method only works in non-switched networks.
AntiSniff
The AntiSniff program determines whether a device is listening to the traffic on the local network.
AntiSniff's DNS test is vulnerable to a buffer overflow that would allow an attacker to execute arbitrary code by sending a malformed DNS packet to the system running AntiSniff.
Linux Sniffing Tools
dnsspoof
Forges replies to DNS address and pointer queries
dsniff
Password sniffer
filesnarf
Sniffs files from NFS traffic
mailsnarf
Sniffs mail messages in Berkeley mbox format
msgsnarf
Sniffs chat messages
tcpkill
Kills TCP connections on a LAN
tcpnice
Slows down TCP connections on a LAN
urlsnarf
Sniffs HTTP requests in Common Log Format
webspy
Displays sniffed URLs in Netscape in real time
webmitm
HTTP/HTTPS monkey-in-the-middle
Dsniff: Screenshot
sshmitm
Only SSH protocol version 1 is (or ever will be) supported.
sshmitm [-d] [-I] [-p port] host [port]
Webspy: Screenshot
[Figure: DNS spoofing with arpspoof/dnsspoof]
Router: IP 10.0.0.254
Real website www.xsecurity.com: IP 200.0.0.45
Fake website: IP 65.0.0.2
Rebecca (IP 10.0.0.3) types www.xsecurity.com in her web browser, which sends a DNS request.
The hacker poisons the router's ARP entry so that all the router's traffic is forwarded to his machine; he runs arpspoof/dnsspoof.
Step 2: the hacker's dnsspoof answers the DNS request for www.xsecurity.com.
Step 3: Rebecca's browser connects to the fake website at 65.0.0.2 instead of 200.0.0.45.
If the server does not correctly validate DNS responses to ensure that they have come from an authoritative source, it will end up caching the incorrect entries locally and serving them to every user that makes the same request.
For example, an attacker poisons the DNS entries for a target website on a given DNS server, replacing the target's IP address with the address of a server he or she controls.
He or she then creates fake files on the controlled server with names matching those on the target server.
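The validation the paragraph above demands, as an added example written for this page (not EC-Council code and not a real resolver): two resolver caches receive the same responses for www.xsecurity.com, one accepts whatever arrives first, the other applies the checks a resolver must make before caching (transaction ID, destination port, source address, question section, and the bailiwick rule that only records inside the zone it asked about may be cached). It also shows the limit of those checks: an attacker who is already in the path, as in the arpspoof/dnsspoof diagram, sees the query and passes all of them, which is why the checks only defeat off-path guessing. Messages are plain records rather than wire-format DNS; the real site 200.0.0.45 and fake site 65.0.0.2 are from the module's diagram, while the server IP, transaction ID and port numbers are made up.

```python
"""Why a resolver must validate DNS responses before caching them.

Added example for the DNS poisoning slides, not EC-Council or resolver
code. Messages are plain records, not wire-format DNS. Site IPs come from
the module's diagram; the server IP, transaction ID and ports are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    txid: int
    src_port: int      # resolver's ephemeral source port
    server: str        # authoritative server the query was sent to
    name: str
    zone: str          # zone that server is authoritative for


@dataclass(frozen=True)
class Response:
    txid: int
    dst_port: int
    src: str           # IP the response arrives from
    name: str          # question section echoed back
    answers: tuple     # ((name, ip), ...): answer plus additional records


def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


def validation_error(query, resp):
    """Return why the response must be dropped, or None if it is acceptable."""
    if resp.txid != query.txid:
        return "transaction id mismatch"
    if resp.dst_port != query.src_port:
        return "not sent to the port we queried from"
    if resp.src != query.server:
        return "not from the server we asked"
    if resp.name != query.name:
        return "question section does not match our query"
    foreign = [n for n, _ in resp.answers if not in_zone(n, query.zone)]
    if foreign:            # bailiwick rule: cache nothing outside the zone asked about
        return "out-of-bailiwick records: " + ", ".join(foreign)
    return None


class Resolver:
    """An outstanding query gets one answer: the first accepted response is
    cached and everything arriving afterwards for that name is dropped."""

    def __init__(self, validate):
        self.validate = validate
        self.cache = {}
        self.rejected = []

    def receive(self, query, resp):
        if query.name in self.cache:
            return False
        if self.validate:
            err = validation_error(query, resp)
            if err:
                self.rejected.append(err)
                return False
        self.cache.update(resp.answers)
        return True


QUERY = Query(txid=0x1a2b, src_port=40001, server="198.51.100.53",
              name="www.xsecurity.com", zone="xsecurity.com")
GENUINE = Response(0x1a2b, 40001, "198.51.100.53", "www.xsecurity.com",
                   (("www.xsecurity.com", "200.0.0.45"),))
# Off-path attacker: never saw the query, so the transaction ID is a guess.
BLIND_SPOOF = Response(0x0001, 40001, "198.51.100.53", "www.xsecurity.com",
                       (("www.xsecurity.com", "65.0.0.2"),))
# Looks genuine but smuggles a record for a name this server has no authority over.
GLUE_SPOOF = Response(0x1a2b, 40001, "198.51.100.53", "www.xsecurity.com",
                      (("www.xsecurity.com", "200.0.0.45"), ("www.bank.example", "65.0.0.2")))
# On-path attacker (arpspoof + dnsspoof): saw the query, so every field matches.
ON_PATH_SPOOF = Response(0x1a2b, 40001, "198.51.100.53", "www.xsecurity.com",
                         (("www.xsecurity.com", "65.0.0.2"),))


def race(validate, responses=(BLIND_SPOOF, GLUE_SPOOF, GENUINE)):
    """Feed responses in arrival order; return (cache, rejection reasons)."""
    r = Resolver(validate)
    for resp in responses:
        r.receive(QUERY, resp)
    return r.cache, r.rejected


if __name__ == "__main__":
    print("naive:     ", race(False))
    print("validating:", race(True))
    print("on-path:   ", race(True, (ON_PATH_SPOOF, GENUINE)))
```

Against the on-path case the resolver's checks are not enough; only a signature over the data (DNSSEC) or authentication of the endpoint (TLS certificate checks in the browser) tells Rebecca that 65.0.0.2 is not www.xsecurity.com.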
Snort
Windump/tcpdump
Etherpeek
Mac Changer
Ntop
Iris
pf
IPTraf
Etherape
NetIntercept
WinDNSSpoof
An HTTP protocol packet sniffer and network analyzer.
It captures IP packets containing the HTTP protocol.
It parses and decodes the HTTP protocol and generates a web traffic report for reference.
Win Sniffer
Win Sniffer allows network administrators to capture the passwords of any network user.
Administrators can use Win Sniffer to assess the danger of cleartext passwords in the network and develop ways to improve security.
It has integrated technology that reconstructs network traffic in a format that is simple to use and understand.
MSN Sniffer
MSN Sniffer captures MSN chat on a network.
It records MSN conversations automatically.
All intercepted messages can be saved as HTML files for later processing and analysis.
Everything is recorded without being detected.
[Figure: sniffer capturing messages between two chatting hosts]
SmartSniff
SmartSniff is a TCP/IP packet capture program that allows you to inspect the network traffic that passes through your network adapter.
It is a useful tool for checking what packets your computer is sending to the outside world.
SMAC
SMAC is a MAC address modifying utility (spoofer) for Windows 2000, XP, and Server 2003 systems.
It displays the network information of the available network adapters on one screen.
NetSetMan Tool
NetSetMan allows you to quickly switch between pre-configured network settings.
It is useful for ethical hackers who connect to different networks all the time and need to update their network settings each time.
It allows you to create 6 profiles including IP address settings, subnet mask, default gateway, and DNS servers.
Ntop
Ntop is a network traffic probe that shows the network usage.
In interactive mode, it displays the network status on the user's terminal.
In web mode, it acts as a web server, creating an HTML dump of the network status.
EtherApe
EtherApe is a graphical network monitor for Unix.
EtherApe Features
Network traffic is displayed graphically: the more talkative a node is, the bigger its representation.
A user may select which level of the protocol stack to concentrate on.
A user may look at the traffic within a network, end-to-end IP, or even port-to-port TCP.
Data can be captured off the wire from a live network connection or read from a tcpdump capture file.
The data display can be refined using a network filter.
Network Probe
The Network Probe network monitor and protocol analyzer gives the user an instant picture of the traffic situation on the target network.
Features:
Real-time network traffic statistics
Scheduled network traffic reports
Online view of incoming packets
Multiple data color options
Tool: Snort
There are three main modes in which Snort can be configured: sniffer, packet logger, and network intrusion detection system.
Sniffer mode reads the packets off the network and displays them for you in a continuous stream on the console.
Tool: Windump
WinDump is the Windows port of tcpdump, the most widely used network sniffer/analyzer for UNIX.
Tool: Etherpeek
NetIntercept
A sniffing tool that studies external break-in attempts, watches for the misuse of confidential data, displays the contents of an unencrypted remote login or web session, categorizes or sorts traffic by dozens of attributes, and searches traffic by criteria such as email headers, websites, and file names.
NetIntercept: Screenshots 1 and 2
Colasoft EtherLook
Colasoft EtherLook is a TCP/IP network monitoring tool for Windows-based platforms.
It monitors in real time the traffic flowing around the local network and to/from the Internet.
Traffic Analysis module: captures the network traffic in real time and displays the data received and sent by every host in the LAN in different views.
Email Analysis module: captures email messages and restores their contents, including sender, recipient, subject, protocol, etc.
Web Analysis module: allows detailed tracking of web accesses from the network.
Login Analysis module: analyzes all logins within the network and records all the related data.
It also offers Email Analysis, Web Analysis, and Transaction Analysis modules, which allow you to quickly view the email traffic.
It also offers custom filtering options, data export, a customizable interface, and more.
CommView
CommView is a program for monitoring network activity, capable of capturing and analyzing packets on any Ethernet network.
It gathers information about data flowing on a LAN and decodes the analyzed data.
With CommView, you can view the list of network connections and vital IP statistics and examine individual packets.
It decodes the IP packets down to the lowest layer with full analysis of the main IP protocols: TCP, UDP, and ICMP.
It also provides full access to the raw data.
CommView: Screenshot
Sniffem
Sniffem: Screenshot
NetResident
NetResident is a network traffic monitor that captures, stores, and analyzes all the packet traffic from selected protocols.
It reconstructs each event and displays a preview of the web page, email message, or other communication that takes place, including transmitted (unencrypted) passwords.
NetResident supports standard HTTP, FTP, and mail protocols, as well as special protocols via plugins (ICQ, MSN, News).
NetResident: Screenshot
IP Sniffer
IP Sniffer is a protocol analyzer that uses the XP/2K raw socket features.
It supports filtering rules, adapter selection, packet decoding, advanced protocol description, and more.
Detailed information about each packet is provided in a tree-style view, and the right-click menu allows you to resolve or scan the selected source IP address.
Additional features include:
Adapter statistics
IP traffic monitoring
Traceroute
Ping
Port scanning
TCP/UDP/ICMP spoofing options
Open TCP/UDP ports attached to a process
MAC address changing
DNS/WINS/SNMP/WHOIS/DHCP queries
IP Sniffer: Screenshot
Sniphere
Sniphere is a WinPcap-based network sniffer that supports most common protocols, including IP, TCP, UDP, and ICMP.
Sniphere allows you to set filters based on IP, MAC address, ports, protocol, etc., and decodes packets into an easy-to-understand format.
In addition, session logs can be saved in XML format and selected packets copied to the clipboard.
Sniphere: Screenshot
IE HTTP Analyzer
IE HTTP Analyzer is an add-in for Internet Explorer that captures HTTP/HTTPS traffic in real time (as a browser add-in it sees HTTPS requests before they are encrypted).
It displays a wide range of information, including headers, content, cookies, query strings, POST data, and redirection URLs.
It also provides cache information and session clearing, as well as HTTP status code information and several filtering options.
A useful developer tool for performance analysis, debugging, and diagnostics.
IE HTTP Analyzer integrates into the lower part of the IE browser window and can be opened/closed from the IE toolbar.
BillSniff
BillSniff is a network protocol analyzer (sniffer) that provides detailed information about current traffic, as well as overall protocol statistics.
BillSniff can also be used to send packets and script custom protocols.
BillSniff: Screenshot
URL Snooper
It can rebuild HTTP sessions and reassemble files sent through the HTTP protocol.
AnalogX Packetmon
AnalogX PacketMon allows you to capture IP packets that pass through the network interface, whether they originated from the machine on which PacketMon is installed or from a completely different machine on the network.
Once a packet is received, the built-in viewer can be used to examine the header as well as the contents, and the results can be exported to a standard comma-delimited file for further processing.
Captures can be narrowed down to ensure you get exactly what you want, without having to dig through tons of unrelated information.
The program displays the information in a nicely organized overview, sorted by user and contact address.
IPgrab
IPgrab keeps a complete image of each captured packet in memory and can do whatever it likes with it.
Packet sniffers have been used for many years to detect network problems, troubleshoot protocols, and detect intruders.
IPgrab also supports a minimal mode in which all information about all parts of a packet is displayed in a single line of text.
IPgrab: Screenshot
EtherScan Analyzer
EtherScan Analyzer is a network traffic and protocol analyzer
Detecting Sniffing
Countermeasures
Countermeasures (contd)
Another way to protect the network against sniffing is to replace cleartext protocols such as Telnet, rlogin and FTP with SSH (and its SCP/SFTP file transfer), so that a sniffer only sees encrypted sessions
There are various methods to detect a sniffer in a network:
Ping method
ARP method
Latency method
Using IDS
Countermeasures (contd)
Small Networks
Use of static IP addresses and static ARP tables prevents attackers from adding spoofed ARP entries for machines in the network
Large Networks
Enable the network switch's port security features
Use ArpWatch to monitor Ethernet activity
Countermeasures (contd)
There are various tools to detect a sniffer in a network:
ArpWatch
PromiScan
AntiSniff
proDETECT
AntiSniff Tool
The AntiSniff tool can detect machines on the network that are running in promiscuous mode
ArpWatch Tool
ArpWatch is a tool that monitors Ethernet activity and keeps a database of Ethernet/IP address pairings
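What ArpWatch does with that database is report whenever the MAC seen for an IP changes, and report a "flip flop" when an IP keeps bouncing between two MACs, which is what ARP poisoning of the gateway looks like to a passive observer. The following is an added example that reproduces that logic, not arpwatch's own code; the input lines imitate `tcpdump -n arp` output and are constructed, as are the addresses (192.0.2.1 plays the gateway, 192.0.2.20 a workstation that starts answering for the gateway's IP):

```python
"""ArpWatch-style Ethernet/IP pairing monitor run over constructed ARP replies.

Added example, not arpwatch's code. It remembers the MAC last seen for each
IP, reports when it changes, and reports a "flip flop" when an IP bounces
between two MACs. The sample lines imitate `tcpdump -n arp` output.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# constructed sample capture: 192.0.2.1 is the gateway, 192.0.2.20 a workstation
# that starts claiming the gateway's IP with its own MAC (ARP poisoning)
SAMPLE_LINES = [
    "10:00:01.000000 ARP, Reply 192.0.2.1 is-at 00:11:22:33:44:55, length 28",
    "10:00:02.000000 ARP, Reply 192.0.2.20 is-at 00:aa:bb:cc:dd:20, length 28",
    "10:00:03.000000 ARP, Reply 192.0.2.1 is-at 00:aa:bb:cc:dd:20, length 28",
    "10:00:04.000000 ARP, Reply 192.0.2.1 is-at 00:11:22:33:44:55, length 28",
    "10:00:05.000000 ARP, Reply 192.0.2.1 is-at 00:aa:bb:cc:dd:20, length 28",
]

ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d(?:\.\d+)?) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"is-at (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})")


def parse_arp_reply_line(line: str) -> Optional[Tuple[float, str, str]]:
    """(seconds since midnight, ip, mac) for an ARP reply line, else None."""
    m = ARP_REPLY_RE.match(line)
    if not m:
        return None
    h, mnt, s = m.group("ts").split(":")
    return int(h) * 3600 + int(mnt) * 60 + float(s), m.group("ip"), m.group("mac").lower()


@dataclass
class Pairing:
    mac: str
    first_seen: float
    last_seen: float
    previous_mac: Optional[str] = None   # needed to recognise a flip flop


@dataclass
class ArpMonitor:
    table: Dict[str, Pairing] = field(default_factory=dict)
    # (event, ip, old_mac, new_mac)
    alerts: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def observe(self, ip: str, mac: str, ts: float) -> Optional[str]:
        """Record one (ip, mac) sighting; return the event name if it is alarming."""
        entry = self.table.get(ip)
        if entry is None:
            self.table[ip] = Pairing(mac, ts, ts)
            event, old = "new station", ""
        elif entry.mac == mac:
            entry.last_seen = ts
            return None                   # same pairing as before, nothing to report
        else:
            # the IP now answers from a different MAC; if it is the MAC we saw
            # before the last change, the address is flip-flopping
            event = "flip flop" if entry.previous_mac == mac else "changed ethernet address"
            old = entry.mac
            entry.previous_mac, entry.mac, entry.last_seen = entry.mac, mac, ts
        self.alerts.append((event, ip, old, mac))
        return event

    def ips_for_mac(self, mac: str) -> List[str]:
        """All IPs currently mapped to this MAC: points at the spoofing host."""
        return sorted(ip for ip, p in self.table.items() if p.mac == mac)


def run_sample(lines=SAMPLE_LINES) -> List[Tuple[str, str, str, str]]:
    """Feed the capture lines through the monitor and return its alerts."""
    mon = ArpMonitor()
    for line in lines:
        parsed = parse_arp_reply_line(line)
        if parsed:
            mon.observe(parsed[1], parsed[2], parsed[0])
    return mon.alerts


if __name__ == "__main__":
    for event, ip, old, new in run_sample():
        print(f"{event:25} {ip:15} {old or '-':17} -> {new}")
```

On the sample the monitor reports a "changed ethernet address" for the gateway IP at the third line and a "flip flop" each time the real gateway and the spoofing workstation alternate; `ips_for_mac` then shows that the new MAC already belongs to 192.0.2.20, which is the host to look at. Legitimate causes of the same alerts (a replaced gateway NIC, a VRRP/HSRP failover) exist, so the event is a lead for investigation, not proof of an attack.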
PromiScan
PromiScan is a well-known sniffing node detection tool
It provides continuous monitoring that detects promiscuous-mode applications starting and stopping, without increasing the network load
Features:
Cyclic scanning
Slow scanning supported
Logging
Node Viewer
Warning Window
Logging with SYSLOG
PromiScan: Screenshot
proDETECT
proDETECT is an open source promiscuous mode scanner with a GUI
It uses the ARP packet analysis technique to detect adapters in promiscuous mode
This tool can be used by security administrators to detect sniffers in a LAN
It captures and analyzes all traffic transported over both Ethernet and WLAN networks and decodes all major TCP/IP and application protocols
Its advanced application analysis modules allow you to view and log key communication applications such as emails, HTTP traffic, instant messages, and DNS queries
Summary
Sniffing allows an attacker to capture vital information from network traffic. It can be done over a hub or over a switch (passive or active sniffing)
Passwords, emails, and files can be grabbed by means of sniffing
On a switched network, ARP poisoning redirects a victim's traffic through the attacker's machine so that it can be sniffed; MAC flooding, by contrast, can make a switch fail open and behave like a hub
Wireshark, Dsniff, Sniffit, Aldebaran, Hunt, and NGSSniff are some of the most popular sniffing tools
The best defence against sniffing is to encrypt the traffic; in addition, apply the latest patches and other lockdown techniques to the systems